use of sun.security.x509.CertificatePoliciesExtension in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testPolicy.
/*
* Tests matching on the policy constraints extension contained in the
* certificate.
*/
private void testPolicy() throws IOException {
System.out.println("X.509 Certificate Match on certificatePolicies");
// test encoding of CertificatePoliciesExtension because we wrote the
// code
// bad match
X509CertSelector selector = new X509CertSelector();
Set<String> s = new HashSet<>();
s.add(new String("1.2.5.7.68"));
selector.setPolicy(s);
checkMatch(selector, cert, false);
// good match
DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.32"));
CertificatePoliciesExtension ext = new CertificatePoliciesExtension(false, in.getOctetString());
List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
// match on the first policy id
PolicyInformation policyInfo = (PolicyInformation) policies.get(0);
s.clear();
s.add(policyInfo.getPolicyIdentifier().getIdentifier().toString());
selector.setPolicy(s);
checkMatch(selector, cert, true);
}
use of sun.security.x509.CertificatePoliciesExtension in project jdk8u_jdk by JetBrains.
the class PolicyChecker method processPolicies.
/**
* Processes certificate policies in the certificate.
*
* @param certIndex the index of the certificate
* @param initPolicies the initial policies required by the user
* @param explicitPolicy an integer which indicates if a non-null
* valid policy tree is required
* @param policyMapping an integer which indicates if policy
* mapping is inhibited
* @param inhibitAnyPolicy an integer which indicates whether
* "any-policy" is considered a match
* @param rejectPolicyQualifiers a boolean indicating whether the
* user wants to reject policies that have qualifiers
* @param origRootNode the root node of the valid policy tree
* @param currCert the Certificate to be processed
* @param finalCert a boolean indicating whether currCert is the final
* cert in the cert path
* @return the root node of the valid policy tree after modification
* @exception CertPathValidatorException Exception thrown if an
* error occurs while processing policies.
*/
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, int explicitPolicy, int policyMapping, int inhibitAnyPolicy, boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException {
boolean policiesCritical = false;
List<PolicyInformation> policyInfo;
PolicyNodeImpl rootNode = null;
Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
if (origRootNode == null)
rootNode = null;
else
rootNode = origRootNode.copyTree();
// retrieve policyOIDs from currCert
CertificatePoliciesExtension currCertPolicies = currCert.getCertificatePoliciesExtension();
// PKIX: Section 6.1.3: Step (d)
if ((currCertPolicies != null) && (rootNode != null)) {
policiesCritical = currCertPolicies.isCritical();
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "policiesCritical = " + policiesCritical);
try {
policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
} catch (IOException ioe) {
throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
}
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
boolean foundAnyPolicy = false;
// process each policy in cert
for (PolicyInformation curPolInfo : policyInfo) {
String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
if (curPolicy.equals(ANY_POLICY)) {
foundAnyPolicy = true;
anyQuals = curPolInfo.getPolicyQualifiers();
} else {
// PKIX: Section 6.1.3: Step (d)(1)
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "processing policy: " + curPolicy);
// retrieve policy qualifiers from cert
Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
// the policyQualifiersRejected flag is set in the params
if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
throw new CertPathValidatorException("critical policy qualifiers present in certificate", null, null, -1, PKIXReason.INVALID_POLICY);
}
// PKIX: Section 6.1.3: Step (d)(1)(i)
boolean foundMatch = processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, false);
if (!foundMatch) {
// PKIX: Section 6.1.3: Step (d)(1)(ii)
processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, true);
}
}
}
// PKIX: Section 6.1.3: Step (d)(2)
if (foundAnyPolicy) {
if ((inhibitAnyPolicy > 0) || (!finalCert && X509CertImpl.isSelfIssued(currCert))) {
if (debug != null) {
debug.println("PolicyChecker.processPolicies() " + "processing policy: " + ANY_POLICY);
}
processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, true);
}
}
// PKIX: Section 6.1.3: Step (d)(3)
rootNode.prune(certIndex);
if (!rootNode.getChildren().hasNext()) {
rootNode = null;
}
} else if (currCertPolicies == null) {
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "no policies present in cert");
// PKIX: Section 6.1.3: Step (e)
rootNode = null;
}
// resulting in a null tree
if (rootNode != null) {
if (!finalCert) {
// PKIX: Section 6.1.4: Steps (a)-(b)
rootNode = processPolicyMappings(currCert, certIndex, policyMapping, rootNode, policiesCritical, anyQuals);
}
}
if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) && (currCertPolicies != null)) {
rootNode = removeInvalidNodes(rootNode, certIndex, initPolicies, currCertPolicies);
// PKIX: Section 6.1.5: Step (g)(iii)
if ((rootNode != null) && finalCert) {
// rewrite anyPolicy leaf nodes (see method comments)
rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode);
}
}
if (finalCert) {
// PKIX: Section 6.1.5: Steps (a) and (b)
explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, finalCert);
}
if ((explicitPolicy == 0) && (rootNode == null)) {
throw new CertPathValidatorException("non-null policy tree required and policy tree is null", null, null, -1, PKIXReason.INVALID_POLICY);
}
return rootNode;
}
use of sun.security.x509.CertificatePoliciesExtension in project jdk8u_jdk by JetBrains.
the class PolicyChecker method removeInvalidNodes.
/**
* Removes those nodes which do not intersect with the initial policies
* specified by the user.
*
* @param rootNode the root node of the valid policy tree
* @param certIndex the index of the certificate being processed
* @param initPolicies the Set of policies required by the user
* @param currCertPolicies the CertificatePoliciesExtension of the
* certificate being processed
* @returns the root node of the valid policy tree after modification
* @exception CertPathValidatorException Exception thrown if error occurs.
*/
private static PolicyNodeImpl removeInvalidNodes(PolicyNodeImpl rootNode, int certIndex, Set<String> initPolicies, CertificatePoliciesExtension currCertPolicies) throws CertPathValidatorException {
List<PolicyInformation> policyInfo = null;
try {
policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
} catch (IOException ioe) {
throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
}
boolean childDeleted = false;
for (PolicyInformation curPolInfo : policyInfo) {
String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "processing policy second time: " + curPolicy);
Set<PolicyNodeImpl> validNodes = rootNode.getPolicyNodesValid(certIndex, curPolicy);
for (PolicyNodeImpl curNode : validNodes) {
PolicyNodeImpl parentNode = (PolicyNodeImpl) curNode.getParent();
if (parentNode.getValidPolicy().equals(ANY_POLICY)) {
if ((!initPolicies.contains(curPolicy)) && (!curPolicy.equals(ANY_POLICY))) {
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "before deleting: policy tree = " + rootNode);
parentNode.deleteChild(curNode);
childDeleted = true;
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "after deleting: policy tree = " + rootNode);
}
}
}
}
if (childDeleted) {
rootNode.prune(certIndex);
if (!rootNode.getChildren().hasNext()) {
rootNode = null;
}
}
return rootNode;
}
Aggregations